Reworked fix for ITS#3140 - add access parameter to backend_attribute

2024-12-21 03:10:25 +08:00 · 2004-08-18 17:14:22 +00:00 · 2004-08-18 17:14:22 +00:00 · 91033d6552
commit 91033d6552
parent d504ae047e
6 changed files with 22 additions and 23 deletions
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@ -1431,7 +1431,7 @@ dn_match_cleanup:;
 				while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
 					old_parent_ndn = parent_ndn;
 					Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
-					ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals);
+					ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
 					switch(ret){
 					case LDAP_SUCCESS :
 						stop = 0;
@ -1803,7 +1803,7 @@ aci_set_gather (SetCookie *cookie, struct berval *name, struct berval *attr)
 		AttributeDescription *desc = NULL;
 		if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
 			backend_attribute(cp->op,
-				cp->e, &ndn, desc, &bvals);
+				cp->e, &ndn, desc, &bvals, ACL_NONE);
 		}
 		slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
 	}
@ -1821,12 +1821,9 @@ aci_match_set (
 	struct berval	set = BER_BVNULL;
 	int		rc = 0;
 	AciSetCookie	cookie;
-	Operation	op2 = *op;
-
-	op2.o_conn = NULL;

 	if (setref == 0) {
-		ber_dupbv_x( &set, subj, op2.o_tmpmemctx );
+		ber_dupbv_x( &set, subj, op->o_tmpmemctx );
 	} else {
 		struct berval		subjdn, ndn = BER_BVNULL;
 		struct berval		setat;
@ -1848,9 +1845,9 @@ aci_match_set (
 		 * as the length of the dn to be normalized
 		 */
 		if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
-			if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op2.o_tmpmemctx ) == LDAP_SUCCESS )
+			if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
 			{
-				backend_attribute( &op2, e, &ndn, desc, &bvals );
+				backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
 				if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
 					int	i;

@ -1861,18 +1858,18 @@ aci_match_set (
 					bvals[0].bv_val = bvals[i-1].bv_val;
 					BER_BVZERO( &bvals[i-1] );
 				}
-				ber_bvarray_free_x( bvals, op2.o_tmpmemctx );
-				slap_sl_free( ndn.bv_val, op2.o_tmpmemctx );
+				ber_bvarray_free_x( bvals, op->o_tmpmemctx );
+				slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
 			}
 		}
 	}

 	if ( !BER_BVISNULL( &set ) ) {
-		cookie.op = &op2;
+		cookie.op = op;
 		cookie.e = e;
 		rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
-			&op2.o_ndn, &e->e_nname, NULL ) > 0 );
-		slap_sl_free( set.bv_val, op2.o_tmpmemctx );
+			&op->o_ndn, &e->e_nname, NULL ) > 0 );
+		slap_sl_free( set.bv_val, op->o_tmpmemctx );
 	}

 	return(rc);
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@ -1483,7 +1483,8 @@ backend_attribute(
 	Entry	*target,
 	struct berval	*edn,
 	AttributeDescription *entry_at,
-	BerVarray *vals )
+	BerVarray *vals,
+	slap_access_t access )
 {
 	Entry *e;
 	Attribute *a;
@ -1504,8 +1505,8 @@ backend_attribute(
 		if ( a ) {
 			BerVarray v;

-			if ( op->o_conn && access_allowed( op,
-				e, entry_at, NULL, ACL_AUTH,
+			if ( op->o_conn && access > ACL_NONE && access_allowed( op,
+				e, entry_at, NULL, access,
 				&acl_state ) == 0 ) {
 				rc = LDAP_INSUFFICIENT_ACCESS;
 				goto freeit;
@ -1516,10 +1517,10 @@ backend_attribute(
 			v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
 				op->o_tmpmemctx );
 			for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
-				if ( op->o_conn && access_allowed( op,
+				if ( op->o_conn && access > ACL_NONE && access_allowed( op,
 					e, entry_at,
 					&a->a_nvals[i],
-					ACL_AUTH, &acl_state ) == 0 ) {
+					access, &acl_state ) == 0 ) {
 					continue;
 				}
 				ber_dupbv_x( &v[j],
--- a/servers/slapd/overlays/collect.c
+++ b/servers/slapd/overlays/collect.c
@ -72,7 +72,7 @@ collect_response( Operation *op, SlapReply *rs )
 			/* Extract the values of the desired attribute from
 			 * the ancestor entry
 			 */
-			rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals );
+			rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals, ACL_READ );

 			/* If there are any values, merge them into the
 			 * current entry
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -274,7 +274,8 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((
 	Entry *target,
 	struct berval *entry_ndn,
 	AttributeDescription *entry_at,
-	BerVarray *vals
+	BerVarray *vals,
+	slap_access_t access
 ));

 LDAP_SLAPD_F (int) backend_operational LDAP_P((
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@ -1112,7 +1112,7 @@ slap_sasl_check_authz( Operation *op,
 	   assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif

-	rc = backend_attribute( op, NULL, searchDN, ad, &vals );
+	rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
 	if( rc != LDAP_SUCCESS ) goto COMPLETE;

 	/* Check if the *assertDN matches any *vals */
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@ -344,7 +344,7 @@ do_syncrep1(

 		/* read stored cookie if it exists */
 		backend_attribute( op, NULL, &op->o_req_ndn,
-			slap_schema.si_ad_syncreplCookie, &cookie );
+			slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );

 		if ( !cookie ) {
 			/* no stored cookie */
@ -399,7 +399,7 @@ do_syncrep1(
 			struct berval cookie_bv;
 			/* try to read stored cookie */
 			backend_attribute( op, NULL, &op->o_req_ndn,
-				slap_schema.si_ad_syncreplCookie, &cookie );
+				slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
 			if ( cookie ) {
 				ber_dupbv( &cookie_bv, &cookie[0] );
 				ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv );